RE: Unicast Reverse Path -ACL posted 12/18/2005


Yep, this logic can be very confusing.  It took me a while to "get it".

Here's the deal:

When you configure the verify reverse-path command without an ACL, you're
telling the router to drop any packet that comes into this interface
(remember this is an interface command) that shouldn't, based on the route

Normally, this works fine as long as routing is symmetric, i.e. packets take
the same transit path coming and going.  But, suppose this isn't true.

Suppose that a router sends a packet to the right (int e0) to get to a given
destination but packets from that same destination come into the router from
the left (int s0).  In this situation, the ip verify reverse-path command if
placed on the "left" interface would drop those packets.

That wouldn't be a good thing.

This is where the ACL comes in.  You use this ACL to override the default
behavior of the ip verify reverse-path command, and a "permit" entry tells
the router to override the verify command.

IOW, the ACL should be interpreted as saying this - "Permit these packets that ip
verify would drop to come in anyway."

HTH, Tim

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Sent: Wednesday, November 30, 2005 12:24 PM
To: Group Study
Subject: Unicast Reverse Path -ACL

Hi Group,
Quick question. If I want to log all packets that fail the RPF check, would I
use a permit or deny statement? Trying to understand the logic.

R1(config-if)#ip verify unicast reverse-path 122

R1(config)#access-list 122 deny ip any any log-input
R1(config)#access-list 122 permit ip any any log-input

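The decision logic the thread is arguing about, written out as an added example (this is not code from the list post, and the routing table, interface names and access-list 122 entries below are constructed for illustration). The model is strict uRPF: a packet passes when the longest-prefix route back to its source points out the interface it arrived on. The ACL is consulted only when that check fails: a matching permit forwards the packet anyway, a matching deny (or the implicit deny at the end) drops it, and the log flag on whichever entry matched is what produces the log message. So to log packets that fail RPF and still drop them, the entry has to be a deny with log-input; a permit with log-input logs them but lets them through.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
# Mirrors Tim's scenario: the route to the peer points out Ethernet0,
# but the peer's replies arrive on Serial0 (asymmetric routing).
ROUTES = [
    ("0.0.0.0/0", "Serial0"),      # default route
    ("10.1.0.0/16", "Ethernet0"),  # peer network, reached via e0
    ("10.1.5.0/24", "Ethernet1"),  # more specific subnet via e1
]

# Constructed exception ACL modelled on access-list 122 from the thread.
# Each entry: (action, source prefix, log). Evaluated top-down, first match wins.
ACL_122 = [
    ("permit", "10.1.0.0/16", True),  # asymmetric peer: forward anyway, but log it
    ("deny", "0.0.0.0/0", True),      # anything else that fails RPF: drop and log
]


def lookup(routes, ip):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def acl_match(acl, src):
    """Return (action, log) for the first matching entry; implicit deny, unlogged."""
    addr = ipaddress.ip_address(src)
    for action, prefix, log in acl:
        if addr in ipaddress.ip_network(prefix):
            return action, log
    return "deny", False


def urpf(routes, ingress, src, acl=None):
    """Strict uRPF for one packet, as configured by
    'ip verify unicast reverse-path [acl]' on the ingress interface.
    Returns (verdict, logged) where verdict is 'forward' or 'drop'."""
    rpf_iface = lookup(routes, src)
    if rpf_iface == ingress:
        return "forward", False   # passes RPF; the ACL is never consulted
    if acl is None:
        return "drop", False      # no ACL: plain drop, nothing logged
    action, log = acl_match(acl, src)
    return ("forward" if action == "permit" else "drop"), log


if __name__ == "__main__":
    # Constructed packets: (ingress interface, source address)
    for ingress, src in [("Ethernet0", "10.1.7.3"), ("Serial0", "10.1.7.3"),
                         ("Ethernet0", "192.0.2.9"), ("Serial0", "192.0.2.9")]:
        print(ingress, src, "no-acl:", urpf(ROUTES, ingress, src),
              "acl-122:", urpf(ROUTES, ingress, src, ACL_122))
```

The third constructed packet (source 192.0.2.9 arriving on Ethernet0 while the only route back to it is the default via Serial0) is the interesting one: it fails RPF, matches the deny-any log entry, and is dropped and logged, which is the answer to the original question. The peer's replies arriving on Serial0 fail RPF too, but the permit entry forwards them and the log flag records that the exception was used.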
